Description
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
References (2)
Core 2
Core References
Third Party Advisory vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94227
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/exponentcms/exponent-cms/commit/684d79424f768db8bb345d5c68aa2a886239492b
Scores
CVSS v3
7.5
EPSS
0.0017
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (1)
exponentcms/exponent_cms
2.4.0
Published
Nov 04, 2016
Tracked Since
Feb 18, 2026